FreeBSD 5.3 routing IPFW FWD'd packets?
James R. Van Artsalen
james at jrv.org
Tue Nov 30 10:42:01 PST 2004
Achim Patzner wrote:
> Packets sent to the directly reachable net 192.168.254/8 (rule 64000)
> seem to work. Is it possible that packets are somehow being routed
> after being FWD'd by IPFW?
>
> The counters show that the rule is applied, too. Just the "fwd" part
> is not happening.
I'm suspicious of this code in netinet/ip_output.c:
#ifdef IPFIREWALL_FORWARD
	...
	/* Tag attached by ipfw "fwd": carries the next-hop sockaddr_in. */
	fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
	if (fwd_tag) {
		if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
			/* Replace the route destination with the fwd next hop. */
			dst = (struct sockaddr_in *)&ro->ro_dst;
			bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
			m->m_flags |= M_SKIP_FIREWALL;
			m_tag_delete(m, fwd_tag);
			goto again;
		} else {
			m_tag_delete(m, fwd_tag);
			/* Continue. */
		}
	}
#endif
passout:
passout:
This seems to be where FWD is handled in this case. The problem is that
33 lines above I see this code:
	/* Jump over all PFIL processing if hooks are not active. */
	if (inet_pfil_hook.ph_busy_count == -1)
		goto passout;
It looks to me like IPFW forwarding isn't going to happen here unless
there is some PFIL around.
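The control flow described above, as an added model written for this page (it is not FreeBSD source and not code from the poster): a stand-in for the two fragments of ip_output(), with hypothetical local-address checks and constructed addresses, showing that the "goto passout" taken when ph_busy_count is -1 leaves the fwd tag unconsumed.

```c
/* Added model of the quoted ip_output() path; not FreeBSD code. Only the
 * control flow is reproduced: the PFIL skip and the IPFIREWALL_FORWARD block. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define M_SKIP_FIREWALL 0x01   /* mbuf flag named in the quoted code */

/* Minimal stand-ins for the mbuf and route the real code operates on. */
struct model_pkt {
    uint32_t src, dst;        /* IP header addresses, host order */
    bool     has_fwd_tag;     /* PACKET_TAG_IPFORWARD attached by ipfw fwd */
    uint32_t fwd_nexthop;     /* payload of that tag: the fwd next hop */
    uint32_t ro_dst;          /* route destination ip_output will use */
    unsigned flags;
};

/* Hypothetical replacements for in_localip()/in_localaddr(); constructed values. */
static bool is_local_ip(uint32_t a)  { return a == 0xC0A80101u; }                 /* 192.168.1.1 */
static bool is_local_net(uint32_t a) { return (a & 0xFFFFFF00u) == 0xC0A80100u; } /* 192.168.1.0/24 */

/* Returns true when the packet was redirected to the fwd next hop.
 * skip_fwd_when_pfil_idle == true models the quoted code, where the
 * "goto passout" for ph_busy_count == -1 jumps over the fwd block. */
static bool model_ip_output(struct model_pkt *m, int ph_busy_count, bool skip_fwd_when_pfil_idle)
{
    m->ro_dst = m->dst;                       /* ordinary route lookup result */
    if (skip_fwd_when_pfil_idle && ph_busy_count == -1)
        goto passout;                         /* PFIL hooks inactive: skip everything */

    if (m->has_fwd_tag) {                     /* IPFIREWALL_FORWARD block */
        m->has_fwd_tag = false;               /* m_tag_delete() in both branches */
        if (!is_local_ip(m->src) && !is_local_net(m->dst)) {
            m->ro_dst = m->fwd_nexthop;       /* bcopy(fwd_tag+1, dst, ...) */
            m->flags |= M_SKIP_FIREWALL;
            return true;                      /* "goto again" re-routes to the new dst */
        }
    }
passout:
    return false;                             /* sent via the normal route */
}

/* One constructed packet (10.0.0.5 -> 172.16.0.9, fwd 192.168.1.254) through the model:
 * 1 = redirected to the fwd next hop, 2 = fwd tag never consumed, 0 = neither. */
static int demo_case(int ph_busy_count, bool skip_fwd_when_pfil_idle)
{
    struct model_pkt m = { .src = 0x0A000005u, .dst = 0xAC100009u,
                           .has_fwd_tag = true, .fwd_nexthop = 0xC0A801FEu };
    bool redirected = model_ip_output(&m, ph_busy_count, skip_fwd_when_pfil_idle);
    if (redirected && m.ro_dst == 0xC0A801FEu && (m.flags & M_SKIP_FIREWALL))
        return 1;
    return m.has_fwd_tag ? 2 : 0;
}
```

With ph_busy_count at -1 the model returns 2 (tag left on the packet, normal route used); with PFIL active, or with the fwd block checked regardless of the PFIL state, it returns 1.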